Is a search engine like Punkspider legal?


Legal question:
I read that the search engine Punkspider will be relaunched during the Defcon hacker conference in August. This will then scan millions of websites for vulnerabilities every day. The results can then be found via the search engine, which according to the developers should ensure a safer web. How on earth is that legal, let alone ethical?


Answer: It does indeed feel a bit strange when you read it like this: as a would-be criminal, you could simply go to that search engine to see which sites are vulnerable. Shall I go ahead and launch the "cheap front door lock spider", keyPunk.darkweb?


Whether it is legal, however, comes down to what exactly Punkspider does in its scans. From the description it reads like a form of port scanning, checking for known vulnerabilities such as SQL injection or cross-site scripting.


Apparently, they do not publish in detail which vulnerability was found, just something like "this site is vulnerable to data theft due to SQL injection, please don't leave anything here". (I already saw the "dumpster fire" category, so I hope the message is communicated in such clear language everywhere.)


Port scanning and vulnerability research are punishable if you do them with the intent (in the legal sense) to then commit computer break-ins or to incite others to do so. The Punkspider owners certainly do not intend to do that themselves; after all, they publish these reports precisely so that owners of broken sites finally fix them and so that no computer break-ins take place.


So what remains is: are they inciting criminals to abuse the vulnerabilities found? At first glance, that does not seem to be the case. So I do not immediately see the criminality of this search engine, unless it turns out that it makes it very easy to carry out a break-in straight away with a given exploit. For that we have to wait for the final release, but that seems unlikely to me.
